rfc9105xml2.original.xml   rfc9105.xml 
<?xml version="1.0" encoding="US-ASCII"?> <?xml version="1.0" encoding="UTF-8"?>
<!-- edited with XMLSPY v5 rel. 3 U (http://www.xmlspy.com)
by Daniel M Kohn (private) -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.2119.xml">
<!ENTITY RFC3775 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.3775.xml">
<!ENTITY RFC4225 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.4225.xml">
<!ENTITY RFC4866 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.4866.xml">
<!ENTITY RFC5213 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.5213.xml">
<!-- added by sjjeong: -->
<!ENTITY I-D.ietf-netlmm-pmip6-ipv4-support PUBLIC "" "http://xml.resource.org/p
ublic/rfc/bibxml3/reference.I-D.ietf-netlmm-pmip6-ipv4-support.xml">
<!ENTITY I-D.ietf-netlmm-grekey-option PUBLIC "" "http://xml.resource.org/public
/rfc/bibxml3/reference.I-D.ietf-netlmm-grekey-option.xml">
]>
<rfc category="std" docName="draft-ietf-opsawg-tacacs-yang-12"
ipr="trust200902">
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc iprnotified="no" ?> <!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
<?rfc strict="yes" ?> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" docName="draft-ietf-opsawg-tacac s-yang-12" number="9105" ipr="trust200902" obsoletes="" updates="" submissionTyp e="IETF" category="std" consensus="true" xml:lang="en" tocInclude="true" symRefs ="true" sortRefs="true" version="3">
<front> <front>
<title abbrev="TACACS+ YANG module">A YANG Module for TACACS+</title> <title abbrev="TACACS+ YANG Data Model">A YANG Data Model for Terminal Acces
s
Controller Access-Control System Plus (TACACS+)</title>
<seriesInfo name="RFC" value="9105"/>
<author fullname="Bo Wu" initials="B." role="editor" surname="Wu"> <author fullname="Bo Wu" initials="B." role="editor" surname="Wu">
<organization abbrev="Huawei">Huawei Technologies, Co., <organization abbrev="Huawei">Huawei Technologies, Co.,
Ltd</organization> Ltd</organization>
<address> <address>
<postal> <postal>
<street>101 Software Avenue, Yuhua District</street> <extaddr>Yuhua District</extaddr>
<street>101 Software Avenue</street>
<city>Nanjing</city> <city>Nanjing</city>
<region>Jiangsu</region> <region>Jiangsu</region>
<code>210012</code> <code>210012</code>
<country>China</country> <country>China</country>
</postal> </postal>
<email>lana.wubo@huawei.com</email> <email>lana.wubo@huawei.com</email>
</address> </address>
</author> </author>
<author fullname="Guangying Zheng" initials="G." surname="Zheng"> <author fullname="Guangying Zheng" initials="G." surname="Zheng">
<organization abbrev="Huawei">Huawei Technologies, Co., <organization abbrev="Huawei">Huawei Technologies, Co.,
Ltd</organization> Ltd</organization>
<address> <address>
<postal> <postal>
<street>101 Software Avenue, Yuhua District</street> <extaddr>Yuhua District</extaddr>
<street>101 Software Avenue</street>
<city>Nanjing</city> <city>Nanjing</city>
<region>Jiangsu</region> <region>Jiangsu</region>
<code>210012</code> <code>210012</code>
<country>China</country> <country>China</country>
</postal> </postal>
<email>zhengguangying@huawei.com</email> <email>zhengguangying@huawei.com</email>
</address> </address>
</author> </author>
<author fullname="Michael Wang" initials="M." role="editor" surname="Wang"> <author fullname="Michael Wang" initials="M." role="editor" surname="Wang">
<organization abbrev="Huawei">Huawei Technologies, Co., <organization abbrev="Huawei">Huawei Technologies, Co.,
Ltd</organization> Ltd</organization>
<address> <address>
<postal> <postal>
<street>101 Software Avenue, Yuhua District</street> <extaddr>Yuhua District</extaddr>
<street>101 Software Avenue</street>
<street/>
<city>Nanjing</city> <city>Nanjing</city>
<region/>
<code>210012</code> <code>210012</code>
<country>China</country> <country>China</country>
</postal> </postal>
<email>wangzitao@huawei.com</email> <email>wangzitao@huawei.com</email>
</address> </address>
</author> </author>
<date year="2021" month="August" />
<area>Operations and Management</area>
<workgroup>OPSAWG</workgroup>
<date year="2021"/> <keyword>Authentication</keyword>
<keyword>Authorization</keyword>
<area>Ops Area</area> <keyword>Accounting</keyword>
<keyword>Authentication, Authorization, and Accounting</keyword>
<workgroup>Opsawg</workgroup> <keyword>AAA</keyword>
<keyword>(AAA)</keyword>
<abstract> <abstract>
<t>This document defines a Terminal Access Controller Access-Control <t>This document defines a Terminal Access Controller Access-Control
System Plus (TACACS+) client YANG module, that augments the System System Plus (TACACS+) client YANG module that augments the System
Management data model, defined in RFC 7317, to allow devices to make use Management data model, defined in RFC 7317, to allow devices to make use
of TACACS+ servers for centralized Authentication, Authorization and of TACACS+ servers for centralized Authentication, Authorization, and
Accounting (AAA). Though being a standard module, this module does not Accounting (AAA). Though being a standard module, this module does not
endorse the security mechanisms of the TACACS+ protocol (RFC 8907) and endorse the security mechanisms of the TACACS+ protocol (RFC 8907), and
TACACS+ MUST be used within a secure deployment.</t> TACACS+ <bcp14>MUST</bcp14> be used within a secure deployment.</t>
<t>The YANG module in this document conforms to the Network Management <t>The YANG module in this document conforms to the Network Management
Datastore Architecture (NMDA) defined in RFC 8342.</t> Datastore Architecture (NMDA) defined in RFC 8342.</t>
</abstract> </abstract>
</front> </front>
<middle> <middle>
<section title="Introduction"> <section numbered="true" toc="default">
<name>Introduction</name>
<t>This document defines a YANG module that augments the System <t>This document defines a YANG module that augments the System
Management data model defined in the <xref target="RFC7317"/> to support Management data model defined in <xref target="RFC7317" format="default"/> to support
the configuration and management of TACACS+ clients.</t> the configuration and management of TACACS+ clients.</t>
<t>TACACS+ <xref target="RFC8907" format="default"/> provides device
administration for routers, network access servers, and other networked
devices via one or more centralized servers.</t>
<t><xref target="RFC7317" format="default">The System Management data mode
l</xref> defines
separate functionality to support local and RADIUS authentication: </t>
<dl>
<dt>User Authentication Model: </dt>
<dd>Defines a list of usernames with associated passwords and a configuration
leaf to decide the order in which local or RADIUS authentication is used. </dd>
<t>TACACS+ <xref target="RFC8907"/> provides device administration for <dt>RADIUS Client Model: </dt>
routers, network access servers and other networked devices via one or <dd>Defines a list of RADIUS servers used by a device for centralized user
more centralized servers.</t> authentication. </dd>
</dl>
<t><xref target="RFC7317">The System Management Model</xref> defines
separate functionality to support local and RADIUS authentication: <list
style="symbols">
<t>User Authentication Model: Defines a list of usernames with
associated passwords and a configuration leaf to decide the order in
which local or RADIUS authentication is used.</t>
<t>RADIUS Client Model: Defines a list of RADIUS servers used by a
device for centralized user authentication.</t>
</list></t>
<t>The System Management Model is augmented with the TACACS+ YANG module <t>The System Management data model is augmented with the TACACS+ YANG module
defined in this document to allow the use of TACACS+ servers as an defined in this document to allow the use of TACACS+ servers as an
alternative to RADIUS servers.</t> alternative to RADIUS servers.</t>
<t>The YANG module can be used with network management protocols such as <t>The YANG module can be used with network management protocols such as
NETCONF<xref target="RFC6241"/>.</t> the Network Configuration Protocol (NETCONF) <xref target="RFC6241"
format="default"/>.</t>
<t>The YANG module in this document conforms to the Network Management <t>The YANG module in this document conforms to the Network Management
Datastore Architecture (NMDA) defined in <xref target="RFC8342"/>.</t> Datastore Architecture (NMDA) defined in <xref target="RFC8342" format="de fault"/>.</t>
</section> </section>
<section numbered="true" toc="default">
<name>Conventions Used in This Document</name>
<section title="Conventions used in this document"> <t>
<t>The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
"OPTIONAL" in this document are to be interpreted as described in BCP14, NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
<xref target="RFC2119"/>, <xref target="RFC8174"/> when, and only when, "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
they appear in all capitals, as shown here.</t> "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are
to be interpreted as described in BCP&nbsp;14 <xref target="RFC2119"/>
<t>The following terms are defined in <xref target="RFC6241"/> and are <xref target="RFC8174"/> when, and only when, they appear in all capitals,
used in this specification: <list style="symbols"> as shown here.
<t>configuration data</t> </t>
<t>state data</t>
</list></t>
<t>The following terms are defined in <xref target="RFC7950"/> and are
used in this specification: <list style="symbols">
<t>augment</t>
<t>data model</t>
<t>data node</t>
</list>The terminology for describing YANG data models is found in
<xref target="RFC7950"/>.</t>
<section anchor="tree-diagrams" title="Tree Diagrams"> <t>The following terms are defined in <xref target="RFC6241" format="default"/>
and are
used in this specification: </t>
<ul spacing="normal">
<li>configuration data</li>
<li>state data</li>
</ul>
<t>The following terms are defined in <xref target="RFC7950" format="defau
lt"/> and are
used in this specification: </t>
<ul spacing="normal">
<li>augment</li>
<li>data model</li>
<li>data node</li>
</ul>
<t>The terminology for describing YANG data models is found in
<xref target="RFC7950" format="default"/>.</t>
<section anchor="tree-diagrams" numbered="true" toc="default">
<name>Tree Diagrams</name>
<t>The tree diagram used in this document follows the notation defined <t>The tree diagram used in this document follows the notation defined
in <xref target="RFC8340"/>.</t> in <xref target="RFC8340" format="default"/>.</t>
</section> </section>
</section> </section>
<section numbered="true" toc="default">
<section title="Design of the TACACS+ Data Model"> <name>Design of the TACACS+ Data Model</name>
<t>This module is used to configure a TACACS+ client on a device to <t>This module is used to configure a TACACS+ client on a device to
support deployment scenarios with centralized authentication, support deployment scenarios with centralized authentication,
authorization, and accounting servers. Authentication is used to authorization, and accounting servers. Authentication is used to
validate a user's username and password, authorization allows the user validate a user's username and password, authorization allows the user
to access and execute commands at various privilege levels assigned to to access and execute commands at various privilege levels assigned to
the user, and accounting keeps track of the activity of a user who has the user, and accounting keeps track of the activity of a user who has
accessed the device.</t> accessed the device.</t>
<t>The ietf-system-tacacs-plus module augments the "/sys:system" path <t>The ietf-system-tacacs-plus module augments the "/sys:system" path
defined in the ietf-system module with the contents of the "tacacs-plus" defined in the ietf-system module with the contents of the "tacacs-plus"
grouping. Therefore, a device can use local, RADIUS, or TACACS+ to grouping. Therefore, a device can use local, RADIUS, or TACACS+ authentica tion to
validate users who attempt to access the router by several mechanisms, validate users who attempt to access the router by several mechanisms,
e.g., a command line interface or a web-based user interface.</t> e.g., a command line interface or a web-based user interface.</t>
<t>The "server" list is directly under the "tacacs-plus" container, <t>The "server" list, which is directly under the "tacacs-plus" container,
which holds a list of TACACS+ servers and uses server-type to holds a list of TACACS+ servers and uses server-type to
distinguish between Authentication, Authorization and Accounting (AAA). distinguish between Authentication, Authorization, and Accounting (AAA) se
rvices.
The list of servers is for redundancy.</t> The list of servers is for redundancy.</t>
<t>Most of the parameters in the "server" list are taken directly from <t>Most of the parameters in the "server" list are taken directly from
<xref target="RFC8907">the TACACS+ protocol </xref>, and some are the <xref target="RFC8907" format="default">TACACS+ protocol </xref>,
derived from the various implementations by network equipment and some are derived from the various implementations by network
manufacturers. For example, when there are multiple interfaces connected equipment manufacturers. For example, when there are multiple interfaces
to the TACACS+ client or server, the source address of outgoing TACACS+ connected to the TACACS+ client or server, the source address of
packets could be specified, or the source address could be specified outgoing TACACS+ packets could be specified, or the source address could
through the interface IP address setting, or derived from the outbound be specified through the interface IP address setting or derived from
interface from the local Forwarding Information Base (FIB). For the the outbound interface from the local Forwarding Information Base
TACACS+ server located in a Virtual Private Network (VPN), a VPN Routing (FIB). For the TACACS+ server located in a Virtual Private Network
and Forwarding (VRF) instance needs to be specified.</t> (VPN), a VPN Routing and Forwarding (VRF) instance needs to be
specified.</t>
<t>The "statistics" container under the "server list" is a collection of <t>The "statistics" container under the "server list" is a collection of
read-only counters for sent and received messages from a configured read-only counters for sent and received messages from a configured
server.</t> server.</t>
<t>The YANG module for TACACS+ client has the following structure:</t> <t>The YANG module for TACACS+ client has the following structure:</t>
<sourcecode name="ietf-system-tacacs-plus" type="yangtree"><![CDATA[
<figure>
<artwork><![CDATA[
module: ietf-system-tacacs-plus module: ietf-system-tacacs-plus
augment /sys:system: augment /sys:system:
+--rw tacacs-plus +--rw tacacs-plus
+--rw server* [name] +--rw server* [name]
+--rw name string +--rw name string
+--rw server-type tacacs-plus-server-type +--rw server-type tacacs-plus-server-type
+--rw address inet:host +--rw address inet:host
+--rw port? inet:port-number +--rw port? inet:port-number
+--rw (security) +--rw (security)
| +--:(obfuscation) | +--:(obfuscation)
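Review bot: The new-side prolog still relies on an external DTD subset, `<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">`, and the draft side resolved its bibliography entities from `http://xml.resource.org/...` SYSTEM identifiers, so parsing either version depends on external entity resolution. That is normal for xml2rfc input (the `&nbsp;` in the BCP 14 paragraph needs the .ent file), but a SYSTEM identifier is a fetch target, and anyone processing this XML outside xml2rfc should resolve the subset from a local catalog copy with network entity loading disabled. A short comment beside the DOCTYPE would record the expectation, e.g. `<!-- external subset: resolve rfc2629-xhtml.ent from the local xml2rfc catalog; do not enable network entity resolution -->`. The tree diagram that begins at the end of this hunk continues past the hunk boundary.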
skipping to change at line 247 skipping to change at line 210
+--ro statistics +--ro statistics
+--ro connection-opens? yang:counter64 +--ro connection-opens? yang:counter64
+--ro connection-closes? yang:counter64 +--ro connection-closes? yang:counter64
+--ro connection-aborts? yang:counter64 +--ro connection-aborts? yang:counter64
+--ro connection-failures? yang:counter64 +--ro connection-failures? yang:counter64
+--ro connection-timeouts? yang:counter64 +--ro connection-timeouts? yang:counter64
+--ro messages-sent? yang:counter64 +--ro messages-sent? yang:counter64
+--ro messages-received? yang:counter64 +--ro messages-received? yang:counter64
+--ro errors-received? yang:counter64 +--ro errors-received? yang:counter64
+--ro sessions? yang:counter64 +--ro sessions? yang:counter64
]]></sourcecode>
]]></artwork>
</figure>
</section> </section>
<section numbered="true" toc="default">
<name>TACACS+ Client Module</name>
<t>This YANG module imports typedefs from <xref target="RFC6991" format="d
efault"/>. This
module also uses the interface typedef from <xref target="RFC8343" format=
"default"/>,
the leafref to VRF instance from <xref target="RFC8529" format="default"/>
, and the
"default-deny-all" extension statement from <xref target="RFC8341" format=
"default"/>.</t>
<section title="TACACS+ Client Module"> <sourcecode name="ietf-system-tacacs-plus@2021-07-26.yang" type="yang" mar
<t>This YANG module imports typedefs from <xref target="RFC6991"/>. This kers="true"><![CDATA[
module also uses the interface typedef from <xref target="RFC8343"/>, module ietf-system-tacacs-plus {
the leafref to VRF instance from <xref target="RFC8529"/>, and the
"default-deny-all" extension statement from <xref
target="RFC8341"/>.</t>
<t>&lt;CODE BEGINS&gt; file
"ietf-system-tacacs-plus@2021-05-13.yang"</t>
<figure>
<artwork><![CDATA[module ietf-system-tacacs-plus {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus"; namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus";
prefix sys-tcs-plus; prefix sys-tcs-plus;
import ietf-inet-types { import ietf-inet-types {
prefix inet; prefix inet;
reference reference
"RFC 6991: Common YANG Data Types"; "RFC 6991: Common YANG Data Types";
} }
import ietf-yang-types { import ietf-yang-types {
skipping to change at line 300 skipping to change at line 258
reference reference
"RFC 7317: A YANG Data Model for System Management"; "RFC 7317: A YANG Data Model for System Management";
} }
import ietf-netconf-acm { import ietf-netconf-acm {
prefix nacm; prefix nacm;
reference reference
"RFC 8341: Network Configuration Access Control Model"; "RFC 8341: Network Configuration Access Control Model";
} }
organization organization
"IETF Opsawg (Operations and Management Area Working Group)"; "IETF OPSAWG (Operations and Management Area Working Group)";
contact contact
"WG Web: <http://tools.ietf.org/wg/opsawg/> "WG Web: <http://datatracker.ietf.org/wg/opsawg/>
WG List: <mailto:opsawg@ietf.org> WG List: <mailto:opsawg@ietf.org>
Editor: Bo Wu <lana.wubo@huawei.com> Editor: Bo Wu <lana.wubo@huawei.com>
Editor: Guangying Zheng <zhengguangying@huawei.com>"; Editor: Guangying Zheng <zhengguangying@huawei.com>";
description description
"This module provides configuration of TACACS+ client. "This module provides configuration of TACACS+ client.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
'MAY', and 'OPTIONAL' in this document are to be interpreted as
described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
they appear in all capitals, as shown here.
Copyright (c) 2021 IETF Trust and the persons identified as Copyright (c) 2021 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see the
RFC itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
'MAY', and 'OPTIONAL' in this document are to be interpreted as
described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
they appear in all capitals, as shown here.";
// RFC Ed.: update the date below with the date of RFC This version of this YANG module is part of RFC 9105; see the
// publication and remove this note. RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove
// this note.
revision 2021-05-13 { revision 2021-07-26 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Module for TACACS+"; "RFC 9105: A YANG Data Model for Terminal Access Controller
Access-Control System Plus (TACACS+)";
} }
typedef tacacs-plus-server-type { typedef tacacs-plus-server-type {
type bits { type bits {
bit authentication { bit authentication {
description description
"Indicates that the TACACS+ server is providing authentication "Indicates that the TACACS+ server is providing
services."; authentication services.";
} }
bit authorization { bit authorization {
description description
"Indicates that the TACACS+ server is providing authorization "Indicates that the TACACS+ server is providing
services."; authorization services.";
} }
bit accounting { bit accounting {
description description
"Indicates that the TACACS+ server is providing accounting "Indicates that the TACACS+ server is providing accounting
services."; services.";
} }
} }
description description
"tacacs-plus-server-type can be set to "tacacs-plus-server-type can be set to
authentication/authorization/accounting authentication/authorization/accounting
skipping to change at line 375 skipping to change at line 329
identity tacacs-plus { identity tacacs-plus {
base sys:authentication-method; base sys:authentication-method;
description description
"Indicates AAA operation using TACACS+."; "Indicates AAA operation using TACACS+.";
reference reference
"RFC 8907: The TACACS+ Protocol"; "RFC 8907: The TACACS+ Protocol";
} }
grouping statistics { grouping statistics {
description description
"Grouping for TACACS+ statistics attributes"; "Grouping for TACACS+ statistics attributes.";
container statistics { container statistics {
config false; config false;
description description
"A collection of server-related statistics objects"; "A collection of server-related statistics objects.";
leaf connection-opens { leaf connection-opens {
type yang:counter64; type yang:counter64;
description description
"Number of new connection requests sent to the server, e.g., "Number of new connection requests sent to the server,
socket open"; e.g., socket open.";
} }
leaf connection-closes { leaf connection-closes {
type yang:counter64; type yang:counter64;
description description
"Number of connection close requests sent to the server, e.g., "Number of connection close requests sent to the server,
socket close"; e.g., socket close.";
} }
leaf connection-aborts { leaf connection-aborts {
type yang:counter64; type yang:counter64;
description description
"Number of aborted connections to the server. These do "Number of aborted connections to the server. These do
not include connections that are closed gracefully."; not include connections that are closed gracefully.";
} }
leaf connection-failures { leaf connection-failures {
type yang:counter64; type yang:counter64;
description description
"Number of connection failures to the server"; "Number of connection failures to the server.";
} }
leaf connection-timeouts { leaf connection-timeouts {
type yang:counter64; type yang:counter64;
description description
"Number of connection timeouts to the server"; "Number of connection timeouts to the server.";
} }
leaf messages-sent { leaf messages-sent {
type yang:counter64; type yang:counter64;
description description
"Number of messages sent to the server"; "Number of messages sent to the server.";
} }
leaf messages-received { leaf messages-received {
type yang:counter64; type yang:counter64;
description description
"Number of messages received from the server"; "Number of messages received from the server.";
} }
leaf errors-received { leaf errors-received {
type yang:counter64; type yang:counter64;
description description
"Number of error messages received from the server"; "Number of error messages received from the server.";
} }
leaf sessions { leaf sessions {
type yang:counter64; type yang:counter64;
description description
"Number of TACACS+ sessions completed with the server. "Number of TACACS+ sessions completed with the server.
If the Single Connection Mode was NOT enabled, the number of If the Single Connection Mode was NOT enabled, the number
sessions is the same as the number of 'connection-closes'. of sessions is the same as the number of
If the Mode was enabled, a single TCP connection may contain 'connection-closes'. If the Mode was enabled, a single
multiple TACACS+ sessions."; TCP connection may contain multiple TACACS+ sessions.";
} }
} }
} }
grouping tacacs-plus { grouping tacacs-plus {
description description
"Grouping for TACACS+ attributes"; "Grouping for TACACS+ attributes.";
container tacacs-plus { container tacacs-plus {
must "not(derived-from-or-self(../sys:authentication" must "not(derived-from-or-self(../sys:authentication"
+ "/sys:user-authentication-order, 'tacacs-plus'))" + "/sys:user-authentication-order, 'tacacs-plus'))"
+ " or bit-is-set(server/server-type,'authentication')" { + " or bit-is-set(server/server-type,'authentication')" {
error-message "When 'tacacs-plus' is used as a system" error-message "When 'tacacs-plus' is used as a system"
+ " authentication method, a TACACS+ authentication" + " authentication method, a TACACS+"
+ " server must be configured."; + " authentication server must be configured.";
description description
"When 'tacacs-plus' is used as an authentication method, "When 'tacacs-plus' is used as an authentication method,
a TACACS+ server must be configured."; a TACACS+ server must be configured.";
} }
description description
"Container for TACACS+ configurations and operations."; "Container for TACACS+ configurations and operations.";
list server { list server {
key "name"; key "name";
ordered-by user; ordered-by user;
description description
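Review bot: The `shared-secret` leaf in the `case obfuscation` block keeps `type string { length "1..max"; }` on the new side while its description says administrators SHOULD use at least 16 characters and recommends 32, so a one-character secret still validates against the schema. If the minimum is meant to be enforced the constraint should be `length "16..max";`; if it is deliberately advisory, a sentence such as `The recommended minimum length is not enforced by this module.` in the description would make that explicit to implementers. The leaf is also a plain `string`: `nacm:default-deny-all` restricts NETCONF/RESTCONF access, but the value is held as-is in configuration datastores and will presumably appear in cleartext in exported or backed-up configuration unless the implementation protects it, which the description could note. The enclosing `list server` starts outside this hunk.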
skipping to change at line 484 skipping to change at line 438
leaf port { leaf port {
type inet:port-number; type inet:port-number;
default "49"; default "49";
description description
"The port number of TACACS+ Server port."; "The port number of TACACS+ Server port.";
} }
choice security { choice security {
mandatory true; mandatory true;
description description
"Security mechanism between TACACS+ client and server. "Security mechanism between TACACS+ client and server.
This is modelled as a YANG 'choice' so that it can be This is modeled as a YANG 'choice' so that it can be
augmented by a YANG module in a backwards compatible augmented by a YANG module in a backwards-compatible
manner."; manner.";
case obfuscation { case obfuscation {
leaf shared-secret { leaf shared-secret {
type string { type string {
length "1..max"; length "1..max";
} }
nacm:default-deny-all; nacm:default-deny-all;
description description
"The shared secret, which is known to both the "The shared secret, which is known to both the
TACACS+ client and server. TACACS+ server TACACS+ client and server. TACACS+ server
administrators SHOULD configure a shared secret of administrators SHOULD configure a shared secret with
minimum 16 characters length. a minimum length of 16 characters.
It is highly recommended that this shared secret is It is highly recommended that this shared secret is
at least 32 characters long and sufficiently complex at least 32 characters long and sufficiently complex
with a mix of different character types with a mix of different character types,
i.e. upper case, lower case, numeric, punctuation. i.e., upper case, lower case, numeric, and
Note that this security mechanism is best described as punctuation. Note that this security mechanism is
'obfuscation' and not 'encryption' as it does not best described as 'obfuscation' and not 'encryption'
provide any meaningful integrity, privacy, or replay as it does not provide any meaningful integrity,
protection."; privacy, or replay protection.";
reference reference
"RFC 8907: The TACACS+ Protocol"; "RFC 8907: The TACACS+ Protocol";
} }
} }
} }
choice source-type { choice source-type {
description description
"The source address type for outbound TACACS+ packets."; "The source address type for outbound TACACS+ packets.";
case source-ip { case source-ip {
leaf source-ip { leaf source-ip {
type inet:ip-address; type inet:ip-address;
description description
"Specifies source IP address for TACACS+ outbound "Specifies source IP address for TACACS+ outbound
packets."; packets.";
} }
} }
case source-interface { case source-interface {
leaf source-interface { leaf source-interface {
type if:interface-ref; type if:interface-ref;
description description
"Specifies the interface from which the IP address is "Specifies the interface from which the IP address
derived for use as the source for the outbound TACACS+ is derived for use as the source for the outbound
packet"; TACACS+ packet.";
} }
} }
} }
leaf vrf-instance { leaf vrf-instance {
type leafref { type leafref {
path "/ni:network-instances/ni:network-instance/ni:name"; path "/ni:network-instances/ni:network-instance/ni:name";
} }
description description
"Specifies the VPN Routing and Forwarding (VRF) instance to "Specifies the VPN Routing and Forwarding (VRF) instance
use to communicate with the TACACS+ server."; to use to communicate with the TACACS+ server.";
reference reference
"RFC 8529: YANG Data Model for Network Instances"; "RFC 8529: YANG Data Model for Network Instances";
} }
leaf single-connection { leaf single-connection {
type boolean; type boolean;
default "false"; default "false";
description description
"Whether the single connection mode is enabled for the "Indicates whether the Single Connection Mode is enabled
server. By default, the single connection mode is for the server. By default, the Single Connection Mode
disabled."; is disabled.";
} }
leaf timeout { leaf timeout {
type uint16 { type uint16 {
range "1..max"; range "1..max";
} }
units "seconds"; units "seconds";
default "5"; default "5";
description description
"The number of seconds the device will wait for a "The number of seconds the device will wait for a
response from each TACACS+ server before trying with a response from each TACACS+ server before trying with a
different server."; different server.";
} }
uses statistics; uses statistics;
} }
} }
} }
augment "/sys:system" { augment "/sys:system" {
description description
"Augment the system model with the tacacs-plus model"; "Augments the system model with the tacacs-plus model.";
uses tacacs-plus; uses tacacs-plus;
} }
} }
]]></sourcecode>
]]></artwork>
</figure>
<t>&lt;CODE ENDS&gt;</t>
</section> </section>
<section numbered="true" toc="default">
<name>Security Considerations</name>
<section title="Security Considerations"> <t>The YANG module specified in this document defines a schema for data
<t>The YANG module defined in this document is designed to be accessed that is designed to be accessed via network management protocols such as
via network management protocols such as NETCONF <xref NETCONF <xref target="RFC6241" format="default"/> or RESTCONF <xref
target="RFC6241"/> or RESTCONF <xref target="RFC8040"/>. The lowest target="RFC8040" format="default"/>. The lowest NETCONF layer is the
NETCONF layer is the secure transport layer, and the secure transport layer, and the mandatory-to-implement secure transport
mandatory-to-implement secure transport is Secure Shell (SSH) <xref is Secure Shell (SSH) <xref target="RFC6242" format="default"/>. The
target="RFC6242"/>. The lowest RESTCONF layer is HTTPS, and the lowest RESTCONF layer is HTTPS, and the mandatory-to-implement secure
mandatory-to-implement secure transport is TLS <xref transport is TLS <xref target="RFC8446" format="default"/>.</t>
target="RFC8446"/>.</t> <t>The Network Configuration Access Control Model (NACM) <xref
target="RFC8341" format="default"/> provides the means to restrict
<t>The NETCONF access control model <xref target="RFC8341"/> provides access for particular NETCONF or RESTCONF users to a preconfigured
the means to restrict access for particular NETCONF or RESTCONF users to subset of all available NETCONF or RESTCONF protocol operations and
a preconfigured subset of all available NETCONF or RESTCONF protocol content.</t>
operations and content.</t>
<t>There are a number of data nodes defined in this YANG module that are <t>There are a number of data nodes defined in this YANG module that are
writable/creatable/deletable (i.e., config true, which is the default). writable/creatable/deletable (i.e., config true, which is the default).
These data nodes may be considered sensitive or vulnerable in some These data nodes may be considered sensitive or vulnerable in some
network environments. Write operations (e.g., edit-config) to these data network environments. Write operations (e.g., edit-config) to these data
nodes without proper protection can have a negative effect on network nodes without proper protection can have a negative effect on network
operations. These are the subtrees and data nodes and their operations. These are the subtrees and data nodes and their
sensitivity/vulnerability:</t> sensitivity/vulnerability:</t>
<t><list style="hanging"> <dl newline="false" spacing="normal">
<t hangText="/system/tacacsplus/server:">This list contains the data <dt>/system/tacacs-plus/server:</dt>
<dd>This list contains the data
nodes used to control the TACACS+ servers used by the device. nodes used to control the TACACS+ servers used by the device.
Unauthorized access to this list could enable an attacker to assume Unauthorized access to this list could enable an attacker to assume
complete control over the device by pointing to a compromised complete control over the device by pointing to a compromised
TACACS+ server ,or to modify the counters to hide attacks against TACACS+ server, or to modify the counters to hide attacks against
the device.</t> the device.</dd>
<dt>/system/tacacs-plus/server/shared-secret:</dt>
<t hangText="/system/tacacsplus/server/shared-secret:">This leaf <dd>This leaf controls the key known to both the TACACS+ client and
controls the key known to both the TACACS+ client and server. server. Unauthorized access to this leaf could make the device
Unauthorized access to this leaf could make the device vulnerable to vulnerable to attacks; therefore, it has been restricted using the
attacks, therefore it has been restricted using the "default-deny-all" access control defined in <xref target="RFC8341"
"default-deny-all" access control defined in <xref format="default"/>. When setting, it is highly recommended that the
target="RFC8341"/>. When setting, it is highly recommended that the leaf is at least 32 characters long and sufficiently complex with a
leaf is at least 32 characters long and sufficiently complex with a mix of different character types, i.e., upper case, lower case,
mix of different character types i.e. upper case, lower case, numeric, and punctuation.</dd>
numeric, punctuation.</t> </dl>
</list></t>
<t>This document describes the use of TACACS+ for purposes of <t>This document describes the use of TACACS+ for purposes of
authentication, authorization and accounting, it is vulnerable to all of authentication, authorization, and accounting; it is vulnerable to all
the threats that are present in TACACS+ applications. For a discussion of the threats that are present in TACACS+ applications. For a
of such threats, see Section 10 of <xref target="RFC8907">the TACACS+ discussion of such threats, see <xref target="RFC8907"
Protocol</xref>.</t> sectionFormat="of" section="10" format="default">the TACACS+
protocol</xref>.</t>
<t/>
</section> </section>
<section numbered="true" toc="default">
<name>IANA Considerations</name>
<t>IANA has registered the following URI in the "ns" subregistry within th
e "IETF XML Registry" <xref target="RFC3688" format="default"/>:</t>
<section title="IANA Considerations"> <dl spacing="compact">
<t>This document registers a URI in the IETF XML registry <xref <dt>URI:</dt> <dd>urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus </dd>
target="RFC3688"/>. Following the format in <xref target="RFC3688"/>, <dt>Registrant Contact: </dt> <dd>The IESG. </dd>
the following registration is requested to be made:</t> <dt>XML: </dt> <dd>N/A, the requested URI is an XML namespace. </dd>
</dl>
<figure> <t>IANA has registered the following YANG module in the "YANG Module Names
<artwork><![CDATA[ "
URI: urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus registry <xref target="RFC7950" format="default"/>:</t>
Registrant Contact: The IESG.
XML: N/A, the requested URI is an XML namespace.]]></artwork>
</figure>
<t>This document registers a YANG module in the YANG Module Names <dl spacing="compact">
registry <xref target="RFC7950"/>.</t> <dt>Name: </dt> <dd>ietf-system-tacacs-plus </dd>
<dt>Maintained by IANA: </dt> <dd>N </dd>
<dt>Namespace: </dt> <dd>urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus </d
d>
<dt>Prefix: </dt> <dd>sys-tcs-plus </dd>
<dt>Reference: </dt> <dd>RFC 9105 </dd>
</dl>
<figure>
<artwork><![CDATA[
Name: ietf-system-tacacs-plus
Namespace: urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus
Prefix: sys-tcs-plus
Reference: RFC XXXX (RFC Ed.: replace XXXX with actual
RFC number and remove this note.)]]></artwork>
</figure>
</section> </section>
<section title="Acknowledgments">
<t>The authors wish to thank Alex Campbell, John Heasley, Ebben Aries,
Alan DeKok, Joe Clarke, Joe Clarke, Tom Petch, Robert Wilton, and many
others for their helpful comments and suggestions.</t>
</section>
</middle> </middle>
<back> <back>
<references title="Normative References"> <references>
<?rfc include='reference.RFC.8907'?> <name>References</name>
<references>
<?rfc include='reference.RFC.2119'?> <name>Normative References</name>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<?rfc include='reference.RFC.6241'?> FC.8907.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<?rfc include='reference.RFC.6242'?> FC.2119.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<?rfc include='reference.RFC.8340'?> FC.6241.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<?rfc include='reference.RFC.7950'?> FC.6242.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<?rfc include='reference.RFC.7317'?> FC.8340.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<?rfc include='reference.RFC.8040'?> FC.7950.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<?rfc include='reference.RFC.6991'?> FC.7317.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<?rfc include='reference.RFC.8174'?> FC.8040.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<?rfc include='reference.RFC.8341'?> FC.6991.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<?rfc include='reference.RFC.8342'?> FC.8174.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<?rfc include='reference.RFC.8446'?> FC.8341.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<?rfc include='reference.RFC.8343'?> FC.8342.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<?rfc include='reference.RFC.8529'?> FC.8446.xml"/>
</references> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.8343.xml"/>
<references title="Informative References"> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<?rfc include='reference.RFC.3688'?> FC.8529.xml"/>
</references>
<references>
<name>Informative References</name>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.3688.xml"/>
</references>
</references> </references>
<section numbered="true" toc="default">
<section title="Example TACACS+ Authentication Configuration"> <name>Example TACACS+ Authentication Configuration</name>
<t>The following shows an example where a TACACS+ authentication server <t>The following shows an example where a TACACS+ authentication server
instance is configured.</t> instance is configured.</t>
<figure> <sourcecode type=""><![CDATA[ {
<artwork><![CDATA[ {
"ietf-system:system": { "ietf-system:system": {
"authentication": { "authentication": {
"user-authentication-order": [tacacs-plus, local-users] "user-authentication-order": [tacacs-plus, local-users]
} }
"tacacs-plus": { "tacacs-plus": {
"server": [ "server": [
{ {
"name": "tac_plus1", "name": "tac_plus1",
"server-type": "authentication", "server-type": "authentication",
"address": "192.0.2.2", "address": "192.0.2.2",
"shared-secret": "QaEfThUkO198010075460923+h3TbE8n", "shared-secret": "QaEfThUkO198010075460923+h3TbE8n",
"source-ip": "192.0.2.12", "source-ip": "192.0.2.12",
"timeout": "10" "timeout": "10"
} }
] ]
} }
} }
}]]></artwork> }]]></sourcecode>
</figure>
</section> </section>
<section numbered="false" toc="default">
<name>Acknowledgments</name>
<t>The authors wish to thank <contact fullname="Alex Campbell"/>,
<contact fullname="John Heasley"/>, <contact fullname="Ebben Aries"/>,
<contact fullname="Alan DeKok"/>, <contact fullname="Joe Clarke"/>,
<contact fullname="Tom Petch"/>, <contact fullname="Robert Wilton"/>,
and many others for their helpful comments and suggestions.</t>
</section>
</back> </back>
</rfc> </rfc>